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MEMORANDUM  FOR  SECRETARIES  OF  THE  MILITARY  DEPARTMENTS 

CHAIRMAN  OF  THE  JOINT  CHIEFS  OF  STAFF 
UNDER  SECRETARIES  OF  DEFENSE 
DIRECTOR,  DEFENSE  RESEARCH  AND  ENGINEERING 
ASSISTANT  SECRETARIES  OF  DEFENSE 
GENERAL  COUNSEL  OF  THE  DEPARTMENT  OF  DEFENSE 
INSPECTOR  GENERAL  OF  THE  DEPARTMENT  OF  DEFENSE 
DIRECTOR,  OPERATIONAL  TEST  AND  EVALUATION 
ASSISTANTS  TO  THE  SECRETARY  OF  DEFENSE 
DIRECTOR,  ADMINISTRATION  AND  MANAGEMENT 
DIRECTORS  OF  THE  DEFENSE  AGENCIES 

SUBJECT:  Information  Assurance  (IA)  Training  and  Certification 

Recent  attacks  against  the  Department’s  information  infrastructure  have  heightened 
awareness  of  the  importance  of  training  as  a  critical  component  of  protecting  the  Department’s 
information  resources  against  modern  day  cyber  attacks.  Because  of  the  shared  risk  environment 
created  by  highly  connected  and  interdependent  Department  of  Defense  (DoD)  information 
systems,  it  is  imperative  that  all  individuals  using,  administering,  and  maintaining  these  systems 
understand  the  threats  to  the  Department’s  systems  and  the  policies,  procedures,  and  equipment 
designed  to  mitigate  these  threats.  Although  training  for  all  employees  using  DoD  computer 
systems  is  already  mandated  by  statute  and  Department  regulation  (see  attachment  1),  many 
individuals  using  these  systems  or  performing  the  duties  of  system  administrators  and 
maintainers  lack  a  sufficient  level  of  training  to  ensure  the  adequate  protection  of  DoD’s 
information  resources. 

Since  adequate  levels  of  IA  directly  relate  to  operational  readiness  and  mission  success, 
the  Senior  Civilian  Official  (SCO)  of  the  Office  of  the  Assistant  Secretary  of  Defense  for 
Command,  Control,  Communications  and  Intelligence  (OASD(C3I))  has  asked  the  Under 
Secretary  of  Defense  for  Personnel  and  Readiness  (USD(P&R))  to  address  DoD’s  overall  IA 
training  and  professionalization  needs.  The  OUSD(P&R)  will  work  with  the  DoD  Components 
to  identify  a  common  set  of  IA  training  and  certification  requirements  for  military  and  civilian 
occupational  specialties.  This  process  will  guide  efforts  by  DoD  Components  to  collaborate  in 
the  development  of  a  coherent  set  of  formal  IA  training  and  certification  plans  and  programs  to 
meet  their  operational  needs. 

In  the  meantime,  heads  of  the  DoD  Components  must  ensure  full  compliance  with 
training  responsibilities  for  military  and  civilian  personnel.  Heads  of  the  DoD  Components  shall 
demonstrate  full  compliance  through  the  development  and  implementation  of  certification  plans 
and  procedures  for  all  DoD  military  personnel  and  civilian  employees  who  use  DoD  computer 
systems  or  perform  the  duties  of  system  administrators  and  maintainers. 
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Public  reporting  burden  for  this  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and  maintaining  the  data 
needed,  and  completing  and  reviewing  this  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information,  including  suggestions  for  reducing  this  burden  to 
Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1 21 5  Jefferson  Davis  Highway,  Suite  1204,  Arlington,  VA  22202-4302,  and  to  the  Office  of  Management  and  Budget,  Paperwork 
Reduction  Project  (0704-0188),  Washington,  DC  20503 
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The  Director  (Administration  and  Management)  (DA&M)  shall  develop  and  implement 
certification  plans  and  procedures  for  the  Office  of  the  Secretary  of  Defense  (OSD)  Components. 
The  goal  of  these  plans  should  be  to  certify  all  DoD  military  and  civilian  employees  who  use 
DoD  computer  systems  or  perform  the  duties  of  system  administrators  and  maintainers  of 
classified  networks  by  January  1999  and  all  other  networks  by  December  2000.  The  plans  shall 
be  submitted  within  45  days  of  the  date  of  this  memorandum  to  the  OASD(C3I),  Attention: 
Director,  Information  Assurance.  The  DoD  Components  shall  use  the  attached  “Certification  of 
Users,  System  Administrators,  and  Maintainers”  (attachment  2)  as  interim  DoD  guidance. 
Certification  plans  must  be  accompanied  by  a  “Certification  Assessment”  that  follows  the  format 
outlined  in  the  attached  DoD  guidance. 

The  DoD  Components  and  DA&M,  on  behalf  of  OSD,  shall  report  progress  against  their 
plans  to  the  Director,  IA  on  a  quarterly  basis.  The  first  of  these  quarterly  reports  shall  be 
provided  by  September  30,  1998,  and  the  second  by  December  31,  1998.  All  subsequent  reports 
shall  be  submitted  by  the  last  day  of  the  quarter.  The  Joint  Staff  (J6)  and  Director,  IA  shall 
provide  a  progress  report  to  the  DoD  Chief  Information  Officer  no  later  than  January  21,  1999. 

Interim  guidance  regarding  the  certification  of  DoD  contractors  shall  be  provided 
separately. 


Arthur  L.  Money 
Senior  Civilian  Official 
Office  of  the  Assistant  Secretary 
Of  Defense  (C3I) 


Rudy  de  Leon 

Under  Secretary  of  Defense 

(Personnel  and  Readiness) 
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